Enhance infrastructure and application configurations

- Updated AGENTS.md to include new directories for execution plans and implemented feature reports.
- Modified Ansible host variables for dev-02 and gpu-01 to change API endpoints and add new configurations for Scaleway.
- Adjusted firewall rules in gpu-01 to allow HTTPS traffic instead of the previous Ollama port.
- Added OAuth2 proxy configurations to gpu-01 for enhanced security.
- Removed deprecated open-webui module from Terraform app configurations.
- Updated Terraform configurations to reflect changes in local variables and removed unused secrets.
- Created a new sectool.json file for CloudNS integration with Bitwarden.
- Enhanced SELinux configurations for nginx to allow connections to any port and added oauth2-proxy port.
This commit is contained in:
2026-07-12 16:28:45 -04:00
parent a4a8554fb6
commit 8724360fb2
23 changed files with 2106 additions and 77 deletions
@@ -10,6 +10,7 @@ llama_server_extra_groups: "users,video"
llama_server_devices: []
llama_server_env: {}
llama_server_port: 11434
llama_server_bind: "0.0.0.0"
llama_server_preset_global: {}
llama_server_host: "127.0.0.1"
llama_server_argv_extra: []
+1 -1
View File
@@ -135,7 +135,7 @@
state: started
device: "{{ llama_server_devices | default(omit) }}"
env: "{{ llama_server_env | default(omit) }}"
ports: "0.0.0.0:{{ llama_server_port }}:8080/tcp"
ports: "{{ llama_server_bind }}:{{ llama_server_port }}:8080/tcp"
volumes:
- "{{ llama_server_home }}/models:/models:Z"
- "{{ llama_server_home }}/.cache:/app/.cache:Z"
+15
View File
@@ -44,3 +44,18 @@
become: true
ansible.builtin.command: restorecon -Rv /etc/letsencrypt
changed_when: false
- name: Set SELinux boolean to allow nginx to connect to any port
become: true
ansible.builtin.command: semanage boolean -m --on nginx_connect_any
failed_when: false
changed_when: false
when: ansible_selinux.status == "enabled"
- name: Add oauth2-proxy port to SELinux http_port_t
become: true
ansible.builtin.command: >-
semanage port -a -t http_port_t -p tcp {{ nginx_proxy_oauth2_proxy_port }}
failed_when: false
changed_when: false
when: ansible_selinux.status == "enabled"
@@ -22,6 +22,7 @@
mode: "0755"
owner: root
group: root
remote_src: true
- name: Create oauth2-proxy config directory
become: true
@@ -13,6 +13,7 @@ server {
add_header Strict-Transport-Security "max-age={{ nginx_proxy_nginx_hsts_max_age }}; {{ nginx_proxy_nginx_hsts_include_subdomains | ternary('includeSubDomains', '') }}" always;
{% if not (item.no_auth | default(false) | bool) %}
# Redirect unauthenticated requests to OAuth2 sign-in
error_page 401 = /oauth2/sign_in;
@@ -52,13 +53,16 @@ server {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
}
{% endif %}
location / {
{% if not (item.no_auth | default(false) | bool) %}
auth_request /oauth2/auth;
auth_request_set $auth_status $upstream_status;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
{% endif %}
add_header Strict-Transport-Security "max-age={{ nginx_proxy_nginx_hsts_max_age }}; {{ nginx_proxy_nginx_hsts_include_subdomains | ternary('includeSubDomains', '') }}" always;
proxy_pass http://{{ item.upstream.host }}:{{ item.upstream.port }};